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Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 


consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 


Q2 


Q3 


Does the draft guidance cover the relevant issues about the right of access? 

Yes 

No 

Unsure / don't know 

If no or unsure/don't know, what other issues would you like to be covered in it? 


ON 
1 ] 
Caer, 


Does the draft guidance contain the right level of detail? 
“> Yes 

No 

Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Does the draft guidance contain enough examples? 
© Yes 

No 

Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be 
included in the draft guidance. 


Q4 


Q5 


Q6 


Q7 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Would this be considered excessive? 

We had a customer with whom we had an extensive and deteriorating relationship, 
who requested every piece of correspondence and the transcripts of all call 
recordings. We had initially provided the information on an encrypted USB stick but 


once having received this, the individual then requested transcripts and hard copies 
of everything - despite the original request coming in on email. The final tally 
amounted to hundreds of pages of information and took up 72 man hours. 


On a scale of 1-5 how useful is the draft guidance? 


3- 
1- Not at all 2 -— Slightly Moderately 4- Very 5- Extremely 
useful useful useful useful useful 


TN 
i ! 
Need 


Why have you given this score? 


The document provides a certain clarity on issues that have concerned us, especially 
relating to requests from Third Party Online Providers which is an issue that has 
increasingly concerned us. From the start we have been uncomfortable about using 
them, both as to their motivation and to the security of their set-ups. We have been 


delighted to see this covered off unequivocally in the Third Party Online as previous 
advice from the ICO has been less clear. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly 


Strongly Neither agree agree 


disagree Disagree nor disagree Agree 


Q8 


Q9 


Q10 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


On page 22 you discuss the idea that the purpose of a SAR request is irrelevant. We 
are concerned about Third party Online providers encouraging frivolous requests 
(possibly even vexatious) in return for “gifts”. The sole reason for requesting the 
information is to receive a benefit not a need to receive the personal data. We feel 
without the incentives it is very unlikely the Data Subjects would have made the 
requests. The Third Party Online Providers have set up this service to make money 
and for no other reason. We feel that this is not within the spirit of the GDPR and 
wonder if this element could be addressed in the Third Party Online section? 


The guidance relating to asking for clarification of a request within the month is 
counterproductive. A subject may take the full month to come back to state that they 
want a fraction of the original request, meanwhile the request has been met fully in 
order to be time compliant. This would seem to be a huge waste of effort and will not 
deliver what the data subject actually wants. 


Are you answering as: 


An individual acting in a private capacity (eg someone providing their views as a 
member of the public) 


An individual acting in a professional capacity 
“ On behalf of an organisation 

Other 
Please specify the name of your organisation: 


Animal Friends Insurance Services 


What sector are you from: 


Insurance 


How did you find out about this survey? 
ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

» ICO newsletter 
ICO staff member 
Colleague 
Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


a 


FIR 


Thank you for taking the time to complete the survey. 


